How Hackers of Submarine Cables May Be Held Liable Under the Law of the Sea
Submarine internet cables play a vital role in the modern economy and transmit almost all global internet connections between countries. These cables, however, are vulnerable to interference or hacking by foreign states who seek to obtain the valuable data that passes through them. Because these cables are located on the high seas, however, no country has legal jurisdiction over large portions of them allowing for any number of states or private actors to hack into them and steal valuable information. This Comment evaluates whether states have any legal recourse under public international law against entities that hack into submarine cables. To answer this question, this Comment explores the development of public international law with respect to the high seas and evaluates public international norms for hacking and cyber operations. This Comment then argues, given the weakness of current domestic regimes with respect to submarine cable protections, the International Tribunal of the Law of the Sea can assert jurisdiction over disputes related to submarine hacking. This Comment further makes the novel argument that states can assert damage done to cables through hacking or violations of citizens’ rights to privacy through hacking present potential legal avenues to pursue liability against submarine hacking.
I. Introduction
Contrary to popular belief, the global internet is largely comprised of a network of data cables linking states and continents and not satellite links propelling data through the air.1 In communications between continents, approximately 99% of all telecommunications is transmitted via a network of around 400 underwater, submarine cables.2 For example, to send an email from Boston to Dublin, the GTT Atlantic Cable would route your message under the Atlantic Ocean through Nova Scotia, Northern Ireland, and London before arriving in Dublin.3 This process would take place nearly instantaneously but traverse hundreds of miles of fiber optic cable under the Atlantic Ocean.
These undersea cables are only about the size of a garden hose but represent billions of dollars of productivity and information. If a ship were to drop anchor in the wrong location and sever a cable, internet service could be cut to an entire country.4 If a rogue agent elected to cut the cables to the United States, an estimated $10 trillion in daily financial transfers and vast amounts of data would be clogged up.5 Because damage to submarine cables is so devastating, the international community has devised a number of conventions and domestic protections to protect against cable damage.
More insidiously, however, these cables are also at risk of hacking and intelligence gathering because so much data flows through them. States can use submarines to make small slits in submarine cables and insert listening and data collection devices.6 These spying states then collect all the information that flows through the cables: every overseas telephone call, email, financial transfer, or data upload that passes through the internet from one country to another is collected.7 Encryption of information that passes through these cables somewhat protects against intelligence gathering, but sophisticated operators can often break encryption and can nevertheless obtain useful information through the metadata embedded in encrypted transmissions.8 This massive amount of information provides valuable military, economic, and personal information to the hacking country. This hacking, however, is also a violation of citizens’ privacy and a violation of the hacked states’ economic and military interests.
Out of concern for this sort of hacking, in 2020 the U.S. blocked Google and Facebook from turning on a submarine cable linking the U.S. and Hong Kong.9 Although the 8,000 mile cable had already been laid and hundreds of millions of dollars were spent on its development, the U.S. was too concerned about potential Chinese intelligence pilfering to let the cable go live.10 The decision dramatically demonstrates the U.S.’s fears around submarine cable hacking have grown to exceptional new heights. And the U.S. government’s fears are not misplaced. In 2013, the British spy agency the Government Communications Headquarters (GCHQ) was found to secretly have tapped into undersea cables to gather information.11 In 2015, U.S. sensors detected Russian submarines near undersea cables raising concerns.12 And during the Cold War, the U.S. tapped into Soviet undersea cables and gathered critical intelligence as part of Operation Ivy Bells.13
As the world becomes increasingly interconnected and states increasingly rely on the internet economically, hacking into internet infrastructure becomes a greater threat. The U.S., for example, has undertaken expensive and extensive efforts to remove Huawei from its domestic telecommunication infrastructure to prevent the Chinese government from spying domestically.14 Undersea cables, however, are not so easily protected. Undersea cables are expensive to lay,15 difficult to replace, and often traverse international waters over which states do not have exclusive domain.16
Even with such a large threat, there is an open question as to whether states can protect against submarine cable hacking. The fundamental question this Comment seeks to answer is whether states have any recourse or protections against submarine cable hacking by foreign states under public international law. This Comment argues the increasingly recognized international right to privacy can provide grounds for protecting against submarine cable hacking and that states can enforce this right through dispute resolution mechanisms for the high seas.
This Comment proceeds in five sections to develop this answer. Section II provides a brief overview of the technology behind submarine cables and the methods used in hacking these cables. Section III evaluates current attitudes in the international community with respect to submarine cable hacking and explains why norms around privacy, combined with the incredible resources required to protect cables from hacking, may lead to a shift in states’ treatment of submarine cable hacking.
Section IV explores the history of international treaties and conventions surrounding submarine cables and the high seas. Section V summarizes current public international law related to cyber operations and hacking and discusses the emergence of a newly recognized international right to privacy with respect to telecommunications and personal data. Section VI discusses current scholarly responses to submarine cable hacking to situate this Comment’s solution in present scholarship. And in Section VII, I propose a novel solution addressing the problem of submarine cable hacking using the international right to privacy adjudicated through dispute resolution mechanisms developed for the high seas. The use of the international right to privacy and this dispute resolution body is presently underdiscussed by scholars. This solution further advances the right to privacy as integral to protect against submarine cable hacking and describes how shifts in attitudes toward privacy may contribute to the creation of norms against surveillance hacking.
II. Technical Primer on Hacking and Submarine Cables
This Section describes the network of submarine cables that makes up the modern internet, the technical elements of modern submarine cable hacking techniques, and the possibility of damage by submarine cable hacking. This information is relevant to subsequent possible solutions around submarine cable hacking because international treaties require some protections against incidental or intentional damage to submarine cables, as discussed in Section IV.
Most of the internet is formed through a network of undersea submarine cables.17 About the size of a garden hose, these cables are buried just under the ocean floor by submarine-cable laying ships and transmit internet data between countries.18 While there are some legacy cables that transmit primarily telephone or telegraph information, the majority of modern cables are fiber optic cables that can transmit dozens of Terabytes of data per second.19 While some cables are specially created for military and intelligence transmission purposes, the majority of cables are general in use and transmit commercial, government, and private commercial correspondence simultaneously.20
Because laying and operating a cable across large bodies of water is so costly, most cables were historically financed, laid, and operated by a consortium of multiple owners. For example, the U.S., Japan, and Australia agreed in 2020 to jointly finance a cable link to the Pacific island nation of Palau at a cost of $30 billion.21 Despite this history, individual companies or governments increasingly financed and laid submarine cables.22 For example, in 2020 Google announced it was financing and constructing its own cable linking the U.S., the United Kingdom, and Spain.23
Once laid, cables are maintained and operated by the financing consortium or the private company financing the cable project. These cable operators are responsible for maintenance and repairs for any damage to the cable. Due to their length, most modern cables are outfitted with fault monitoring systems that can detect cable breaks or points of damage for repair.24
States are capable of spying on submarine cables. As discussed below, because the hacking of cables requires specialized equipment including submarines, most experts are concerned with government-sponsored hacking attempts.25 Third-party and private actors, however, are still considered a risk to submarine cables. When four cables linking Europe and the Middle East were simultaneously damaged, many officials and commercial operators alleged private actors had cut the cables.26 Although more sophisticated technology is required to hack a cable compared to destroying one, the threat of terrorists hacking a submarine cable remains even if not manifest to date.27
In general, the process by which intelligence agencies tap into cables is highly secretive. There are some indications, however, as to how it is done. Some reports indicate states use specially designed submarines equipped with devices to splice into cables. In this “splicing method,” the submarine, having broken through the protective coating, installs listening devices within the fiber optic cable to collect transmitted data.28 Some commentators, however, cast doubt on this method due to the possibility of a cable operator detecting a break in data transmission through the cable.29 Some reports nevertheless indicate the techniques are sophisticated enough to not alert cable operators even when external damage to the cable is already done.30 The possibility of damage to the cable or service interruption through splicing is important in the global regulatory regime for cable protections, as will be discussed at length in Section VI.
Other hacking methods appear less obtrusive. Some intelligence analysts have speculated operators gain access to a cable at landing stations—stations fitted with signal boosting equipment and cable access features—in order to install intercept probes that capture the fiber optic light signal and make a copy of it.31 This method, and a similar one involving creating a slight curvature within the cable to siphon off data as it passes through the curve, may not alert an operator that hacking has occurred because the cable does not witness a service interruption seen in splicing.32 While these methods involve some damage to the cable, they may not be easily identified or protected against even by wary states. Generally, while the method used may differ, most methods involve some degree of damage to the submarine cable and some degree of interference with a cable’s data transmission.
III. The Shifting Dialogue Around Submarine Cable Hacking
This Section discusses why submarine cable hacking is a pressing and ripe area for solutions within public international law. As noted above, most of the world’s global powers, particularly the U.S., China, and Russia, enjoy the ability to hack into one another’s cables and may want to reserve that ability. This may indicate few states would be interested in developing norms or international public law against submarine cable hacking. Indeed, the lack of a global convention against peacetime hacking may signal a lack of state interest in curbing this behavior. The ground, however, may be shifting.
First, the volume of information, and in turn sensitive information, that passes through submarine cables is growing. Presently, submarine cables carry 95% of all international communications.33 As countries continue to develop and as crises like COVID-19 require more work and entertainment to be done remotely, global demand for internet bandwidth rises.34 In turn, submarine cable use will only increase. Global consumer IP traffic is expected to rise from 212 Exabytes per month in 2020 to 333 Exabytes per month in 2022.35 Submarine cable bandwidth and traffic are expected to rise by 40% by 2022.36 In 2020 alone, global submarine cable bandwidth rose by 35%.37 Correspondingly, the submarine cable market is expected to grow at approximately 11% by year from 2020 to 2025 increasing the market’s total value from $10.3 billion to $22 billion.38 The need for cable protection then increases as the value and flow of data increases through submarine cables.
Second, while covert and secretive, state hacking and cyber operations only appear to be increasing in scope and frequency. In 2013, leaks revealed the British intelligence service the Government Communications Headquarters (GCHQ) was tapping dozens of fiber optic cables processing over 600 million telephone events and 21 Petabytes of data each day.39 In 2015, American and NATO security forces became concerned with Russian submarines and spy ships increasingly patrolling areas near American submarine cables.40 And the threat of Russian activity has only increased. Russia has built out its submarine fleet,41 and a number of these submarines are claimed to be equipped with cable hacking capabilities.42
This buildout of state capabilities to hack submarine cables has shifted states’ behavior with respect to submarine cables and hacking generally. Out of concern of Chinese hacking attempts, as mentioned above, U.S. regulators prevented the Pacific Light Cable Network connecting the U.S. and Hong Kong from going live.43 This was seen as a dramatic move because Google and Facebook had already spent over $300 million to construct the cable.44 In the commercial context, the U.S. and China agreed in 2015 to halt government support for cyber theft of corporate secrets or business information.45 In crafting the treaty, the U.S. asserted the two countries would together seek “international rules of the road for appropriate conduct in cyberspace” out of a growing concern around an arms race in cyber operations and hacking.46 While not the same as submarine cable hacking, the commercial hacking détente between China and the U.S. indicates some shift in behavior around state-sponsored hacking. The international community may be heading toward a similar watershed moment for crafting treaties around submarine cable hacking given the buildout of state hacking capabilities.
Third, citizens and states are increasingly aware of hacking and intelligence gathering conducted through submarine cables. Expressions of outrage against these methods have increased accordingly. After Edward Snowden revealed the extent of spying on U.S. citizens, thousands took to the streets to protest against government surveillance.47 Human rights watch groups and the media continue to monitor and critique civilian surveillance and spying efforts, and those criticisms have only increased in recent years. The U.N. Human Rights Office of the High Commissioner has produced annual reports related to the right to privacy in the digital age and has advocated for greater recognition of the right to privacy against broad surveillance.48 As citizens, NGOs, and political bodies increasingly advocate for protections for the right to privacy, states will increasingly shift their behavior to cooperating around greater privacy protections out of fear of losing the favor of the electorate.
Fourth, cables are not capable of being monitored like other military or commercial assets. Due to their length stretching hundreds of miles in the open ocean and the number of cables traversing the sea, states would need to expend unconscionable resources to patrol for surface ships and submarines that threaten cables. While cable operators are able to observe real-time widespread disruptions in data service, sophisticated hacking agents are supposedly able to splice into submarine cables without alerting cable operators.49 To intercept cable hacking operators, a state would then need a nearby ship, or perhaps even submarine, capable of detecting and intercepting a hacking submarine. Indeed, it is difficult to fathom the resources required to patrol the 5,000 or so miles from Los Angeles to Tokyo across the Pacific for one cable let alone dozens of cables. Accordingly, spying attempts on cables are likely to succeed. NATO and British intelligence officers have acknowledged fears of Russian cable hacking in the Atlantic have grown because states cannot constantly patrol for hacking attempts.50
Because states are unable to fully patrol against submarine hacking attempts, states may want additional tools in their foreign policy toolbox to address possible hacking attempts. As the danger posed by hacking grows and because the resources required to patrol against hacking are so immense, states will need to explore alternative means to protect cables and their sensitive data, which may include recognizing liability for hacking. By recognizing grounds for liability against submarine cable hacking, states can obtain a tool for enforcement against rogue actors when the costs and benefits are in their favor.
Fifth, while the U.S., China, and Russia, among others, may want to continue participating in hacking operations, not all states participate in hacking and not all states will want to continue to allow hacking to persist on the global stage. Landlocked states and states with less robust submarine military presences do not have the same incentives to allow submarine hacking to continue because they cannot as easily participate. Further, these states may be incidentally damaged by hacking attempts against U.S. or Russian submarine cables because their information flows through those same cables to other states.51 These states may then want protections against submarine hacking regardless of whether global powers, like the U.S. and China, want the practice to continue.
The geopolitical landscape and incentives around protections against cable hacking thus appear to be shifting. Accordingly, this Comment turns to international public law as a potential way to curb hacking behavior. In the following Section, this Comment examines the protections currently afforded to cables under public international law. Subsequently, this Comment evaluates current scholarly thought on solutions within the public international legal system before proposing a novel solution to the problem of submarine cable hacking.
IV. International Laws Regulating Submarine Cables
A. The 1884 Convention for the Protection of Submarine Telegraph Cables
International protections for submarine cables began, surprisingly enough, in the 1880s with the dawn of undersea telegraph wires. Due to threats from fishermen and pirates who accidentally or intentionally severed telegraph cables,52 27 states joined together to create the 1884 Convention for the Protection of Submarine Telegraph Cables.53 Principally, the 1884 Convention was designed to protect cables against willful or negligent damage to cables that may interrupt or obstruct telegraph signals.54
The 1884 Convention, however, was limited in scope and application. Rather than develop a comprehensive international court to handle submarine cable disputes or violations of the convention, the 1884 Convention required states to create their own national regulations to protect submarine cables.55 Many signatory states, such as Canada, never implemented national laws in accordance with the Convention. Other participating states, like China, never signed the Convention and similarly have not developed comprehensive domestic laws in accordance with the Convention’s requirements.56 Where states did implement domestic laws under their Convention obligations, those protections were generally piecemeal and weak. For example, the U.S. enacted the 1888 Submarine Cable Act57 in response to the 1884 Convention, but fines under the statute are so small the U.S. Coast Guard does not pursue violators. There is not a single record of a criminal charge under the statute and civil fines are capped at $5,000.58
The signing countries in 1884 could not have anticipated the emergence of internet submarine cables or hacking into these cables to pilfer vital information. The 1884 Convention, however, may offer some recourse for this sort of misbehavior. Article II provides it is a punishable offense to “break or injure a submarine cable, willfully or by culpable negligence, in such manner as might interrupt or obstruct telegraphic communication.”59 Splicing or tapping into submarine cables requires some damage to the cable and some degree of service interruption to intercept transmitted data. Article II may then apply to submarine cable hacking.
Nevertheless, the 1884 Convention may be limited in its protective ability. First, the Convention requires states to implement domestic regimes protecting cables. Because domestic jurisdiction over foreign nationals is limited, especially on the high seas as will be discussed, these protections are limited in reach. Further, because Article II is limited solely to “telegraphic wires,” it is not clear whether damage to submarine internet cables portends liability under the Convention. While many modern cables have the ability to transmit telegraphs, most are fiber optic cables and therefore may be outside the convention’s scope. And unlike subsequent conventions, the 1884 Convention did not create a tribunal or dispute resolution body to handle these issues. States then are reliant on other states’ domestic regulations for protecting submarine cables. Regardless of its limited applicability to hacking, however, the 1884 Convention pioneered protections for submarine cables, the spirt of which have since been largely incorporated in modern treaties dealing with the high seas.
B. Intermediary Treaties and the U.N. Convention on the Law of the Sea
Following the 1884 Convention, the international community incorporated further protections for submarine cables in broader treaties related to the high seas. In 1958, the Geneva Conventions on the Continental Shelf and the 1958 Convention on the High Seas incorporated portions of the 1884 Convention. Namely, protections of cables from willful or culpably negligent damage and indemnification obligations for other cable owners were incorporated in these later conventions from the 1884 Convention.60
Notably, the 1958 High Seas Convention additionally codified the freedom to lay cables as a high seas freedom, expanding the protections offered by the 1884 Convention.61 Specifically, Article II holds “the high seas being open to all nations, no State may validly purport to subject any part of them to its sovereignty” and the “freedom to lay submarine cables” is one such recognized right.62 Article XXVI further affirms “States shall be entitled to lay submarine cables and pipelines on the bed of the high seas.”63 This Convention also introduced more limited rights on the continental shelf and territorial waters, a distinction to be discussed at length.64 This Convention was the first to establish a general freedom to lay submarine cables which has become central to modern treaty obligations with respect to submarine cables.
Following these intermediary conventions, in 1982 the U.N. Convention on the Law of the Sea (UNCLOS), the contemporary convention for the law of the sea, was created.65 UNCLOS was devised over extensive negotiations to replace the 1958 conventions with a more comprehensive framework of laws and obligations.66 Generally speaking, UNCLOS divides the seas into three sections, each corresponding to distinct rights and duties of states: territorial seas, the exclusive economic zones (EEZ) and continental shelves, and the high seas. UNCLOS incorporated many of the same rights and duties with respect to submarine cables as the 1884 Convention and the 1958 conventions. To understand the rights of states under UNCLOS, this Comment will review states’ rights with respect to submarine cables in each of these three territorial zones.
A state’s territorial seas are the sea, including its bed and subsoil, for the area up to 12 miles from a state’s shores.67 States maintain sovereignty over the territorial sea and can impose their own laws over this area, including with respect to submarine cables.68 If foreign actors break the coastal state’s laws in its territorial waters, those actors would be subject to the coastal state’s jurisdiction under UNCLOS. If a foreign state hacked into or damaged the coastal state’s submarine cables within its territorial waters, those foreign hackers would be subject to the coastal state’s laws against submarine cable hacking or damage to submarine cables. For this reason, among others, states do not engage in hacking in other states’ territorial waters. Even if they did, however, most states have not crafted any protections or regulations on submarine cables within their territorial waters.69 Where states have crafted protections for intentional or negligent damage to cables, those protections are rarely enforced and are often quite weak.70
In the second zone, coastal states can claim the EEZ and continental shelf up to 200 nautical miles past the borders of the state’s territorial seas.71 The delimiting of the precise boundaries of this zone is somewhat complicated however.72 Within this area, states enjoy certain rights to exploit natural resources or explore.73 Regardless of these rights, other states maintain general rights to “other internationally lawful uses of the seas related to those freedoms” which can extend to submarine cables.74 UNCLOS also extends particular freedoms around submarine cables including the ability to lay submarine cables and pipelines.75 While not explicitly mentioned, this freedom likely also includes the ability to operate, repair, and inspect previously laid submarine cables.76
States, however, do not have unfettered access to the EEZ and the continental shelf in the name of cable installation or repair. UNCLOS requires states exercising these rights to “comply with the laws and regulations adopted by the coastal State in accordance with the provisions of this Convention and other rules of international law.”77 While this language is broad, this allowance permits coastal states to restrict foreign states’ activities in furtherance of their right to exploit natural resources in the EEZ or continental shelf or their right to explore the area. In practice, however, this allowance is largely curtailed, and states broadly enjoy States therefore broadly enjoy the freedom to lay submarine cables in the EEZ.
UNCLOS provides similar protections for submarine cables in the EEZ as in territorial waters, though jurisdiction is less clear. Again, similar to territorial waters, while states are required to “adopt the laws and regulations necessary to provide that the breaking or injury by a ship flying its flag or by a person subject to its jurisdiction of a submarine cable beneath the high seas done willfully or through culpable negligence… be a punishable offense,”78 most states have not done so.79 Unlike territorial waters, however, coastal states’ regulations in the EEZ or the continental shelf do not apply to foreign nationals who intentionally break or damage cables.80 This means states in the EEZ and the continental shelf can only hold their own citizens that injure cables liable under their domestic laws. While some states have made novel legal arguments about submarine cables as being in a protected zone of exploitation,81 the majority of states accept domestic jurisdiction does not extend to cables in the EEZ.82 In the instance of hacking, this would mean coastal states could only address domestic hackers, which, while potentially useful for private actors, does not likely apply to the majority of hacking incidents, which are largely committed by foreign governments.
The high seas are the third zone described by UNCLOS. The high seas are defined as “all parts of the sea that are not included in the exclusive economic zone, in the territorial sea or in the internal waters of a State, or in the archipelagic waters of an archipelagic State.”83 The high seas are canonically regarded as beyond the reach of states’ national jurisdiction.84 Accordingly, the high seas are the largest sea area and do not offer any domestic protections against hacking attempts.
The high seas, although beyond the reach of any state, are subject to applicable international treaties including UNCLOS. Broadly, the high seas are reserved for “peaceful purposes.”85 If hacking was considered an act of aggression, states would not enjoy that freedom on the high seas. Similarly, acts considered illegal under international treaties or conventions, like slave trading for example, would not be a permissible use of the high seas. Presently, as discussed in Section V, submarine cable hacking is considered a peaceful activity and not illegal under any international convention.
UNCLOS does not offer many protections for submarine cables on the high seas. Under UNCLOS, states maintain the freedom to lay submarine cables86 but must exercise this freedom in recognition of other states’ exercise of high seas freedoms.87 Similar to requirements for the EEZ, states are obligated under UNCLOS to craft laws and regulations that require their citizens to compensate cable owners for damage they caused to cables or pipelines.88 Many states have not designed laws to meet this obligation and those that have generally involve paltry compensatory payments.89 Again, like the EEZ, these regulations would not extend to foreign nationals on the high seas under UNCLOS.
Unlike the 1884 Convention, UNCLOS included a dispute resolution framework for conflicts between states. The International Tribunal for the Law of the Sea (ITLOS) serves as a binding dispute resolution mechanism where states are unable to reach a peaceful settlement. ITLOS has jurisdiction over “any dispute concerning the interpretation or application of this Convention which is submitted to it in accordance with this Part” including failing to comply with convention obligations.90 Where states have not implemented their treaty obligations, ITLOS can compel states to specifically perform or craft regulations under their UNCLOS requirements.
States are able to select ITLOS for the settlement of disputes at any time through means of written declaration;91 however, states must fully exhaust domestic remedies before applying for resolution through ITLOS.92 Therefore, if a foreign state hacks into a state’s submarine cable in its territorial waters, the injured state must seek liability under its domestic laws first where available.
ITLOS can apply the international law under UNCLOS or “other rules of international law not incompatible with this Convention.”93 This extends to other human rights treaties or accepted international conventions. Generally, ITLOS handles cases involving foreign sailors held without cause,94 but the Tribunal has exerted its jurisdiction over any number of maritime issues.95 As discussed in Section VII, ITLOS may be a useful vehicle for arbitrating disputes between states around submarine cable hacking and the international right to privacy.
Because UNCLOS does not offer explicit protections for cables from hacking on the high seas, the puzzle then is how to create enforcement mechanisms and norms against hacking. Because domestic jurisdiction can only be asserted in territorial waters and most states do not have robust domestic laws, trying to enforce cable protections through national laws seems impractical. Indeed, as will be discussed, scholars have consistently decried the absence of domestic protections for submarine cables. In the following Section, this Comment will explore whether other conventions in international law, rather than solely the laws of the sea, protect against submarine cable hacking. This Comment then explores possible solutions to this problem of liability using ITLOS as a possible avenue for liability.
V. International Norms With Respect to Hacking
This Section describes the international conventions and framework with respect to cyber operations and hacking. Generally, hacking and cyber surveillance are regarded as peacetime activities and are not limited by any international treaties or conventions. The methods employed in pursuit of these goals, however, may be deemed problematic by various conventions. This Section explores the limits of hacking techniques and cyber surveillance and discusses how shifting norms around the right to privacy may change international consensus on the viability of some surveillance tactics.
At present, there is no international framework for hacking offenses or cyber operations. While previous conventions like the Budapest Convention on Cybercrime96 tried to harmonize national laws with respect to cyber operations and provide for mutual assistance in investigating and prosecuting cyber operations,97 there is no international legal framework for cyber offenses or hacking.98
In response to lacking a global framework, a group of preeminent international law scholars and practitioners created the Tallinn Manual99 to describe the legal norms and regulations around cyber operations and hacking.100 The Tallinn Manual is not an international convention and is not binding. Rather, the document serves as an expression of opinion of various experts versed in these topics. Accordingly, it should be considered a reflection of the law at the time of writing and not a limiting or normative statement of the law. The Tallinn Manual is also limited in scope and incorporates public, but not private or domestic, international law.101 The document, however, can provide a general insight into how the international community views current restrictions on cyber operations on the high seas and whether hacking is indeed a “peaceful use” of international waters.
A. General Cyber Operations on the High Seas
According to the Tallinn Manual, the primary basis for liability for cyber activities is territorial. Much like a state has jurisdiction over damage to cables in its territorial seas, states have jurisdiction over cyber activities or hacking that occur within their territory or their territorial waters.102 The experts note tapping a state’s submarine cables in its territorial waters violated its sovereignty.103 States then have jurisdiction over hacking attempts within their territorial waters.
Tapping or hacking activities outside of a state’s territorial waters do not offer the same legal recourse. Like cable damage under UNCLOS, the EEZ and the continental shelf is subject to a complicated legal framework for cyber operations jurisdiction. Generally, if cyber operations are carried out for “peaceful purposes” and maintain “due regard to that State’s rights and duties in the zone,” they are permitted in the EEZ.104 And so long as these operations do not violate “other international legal norms… governing the circumstances,” they do not constitute a violation of state sovereignty in the EEZ.105 Hacking therefore in the EEZ, when it does not violate other international legal norms, is permissible.
On the high seas, states have even fewer rights or protections against hacking. Cable hacking attempts on the high seas do not constitute a violation of the hacked state’s sovereignty.106 Indeed, background intelligence gathering on the high seas during peacetime has long been considered legal without much debate in the international community.107 While hacking or tapping constitute more invasive techniques than radio or sonar surveillance, which have both been long accepted, most scholars believe there is no difference by conducting more “active” intelligence gathering via hacking.108 As in the EEZ, however, human rights violations that occur during cyber operations on the high seas are not permissible according to the Tallinn Manual.
As typified by the above, norms around cyber operations have either not solidified or are highly permissive of cyber operations on the high seas. Because these norms are absent, there is insufficient state practice and public international law to conclude cyber espionage is per se banned.109 Experts, however, agree that cyber operations or hacking may be carried out in a manner that is unlawful.110 Accordingly, this Comment turns to the consequences of hacking and review whether or not these effects may constitute some form of illegal or prohibited activity under public international law.
B. Incidental Effects of Submarine Cable Hacking: Cable Damage
One incidental effect of submarine cable hacking is damage to the submarine cables as a result of splicing into the cable or damaging the cable in the installation of surveillance devices. As noted above, UNCLOS mandates states craft laws to hold their citizens liable for intentional or negligent damage to submarine cables. These laws, however, are limited in jurisdiction to territorial waters. Experts notably have split as to whether the mere act of tapping cables that results in damage renders it a violation of public international law regardless of location.111 The majority of experts agreed states engage in these activities at their own risk and can incur liability for incidental damage. Separately, a handful of experts argued that unforeseeable damage from tapping operations would not incur liability. These experts note there is no settled case law as to whether incidental damage from cyber operations would be deemed foreseeable or intentional.112
This question of liability for damage is nonetheless important. By being able to hold foreign states liable for damage incurred as a result of hacking, states can shift the cost-benefit calculus of hacking attempts by requesting damages. While this may not wholly eliminate submarine cable hacking, potential liability for damage may reduce overall hacking activity levels. It typically costs millions of dollars to repair damage to the actual cable.113 The economic costs associated with a down cable are hard to estimate but the losses can be extraordinary. Somalia lost internet access for three weeks due to cable damage at a cost of $130 million.114 Even without a total internet outage, increased bandwidth demand and slower data speed as a result of cable interference can wreak huge productivity losses. If a state was held liable for repair costs, or lost productivity, the possible costs associated with hacking would rise and overall hacking activity levels may fall in turn.
C. Incidental Effects of Submarine Cable Hacking: Violations of the International Right to Privacy
A second incidental effect of submarine cable hacking is the violation of citizens’ privacy by harvesting electronic data. Because hacking operators cannot control what data they siphon off, hackers will inevitably intercept citizens’ private communications and data in their operations, unless the cable is a dedicated military cable. This violation of privacy is significant because, as the Tallinn Manual experts noted, cyber operations may not be conducted in an unlawful manner.115 While controversial, the international right to privacy would likely be violated by these operations. Accordingly, this Comment next reviews the international right to privacy, its implications for submarine hacking, and the debate around its scope.
A number of conventions have enumerated an international right to privacy.116 The Universal Declaration of Human Rights introduced this principle in Article 12 that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.”117 The International Covenant on Civil and Political Rights (ICCPR) enumerated this right in Article 17 that “no one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence.”118 At its core, this right protects a “private sphere” of autonomous liberty and development that cannot be intruded on without permission by state actors, individuals, or corporations.119 This right has been extended to include protection of personal communications and data.120 The scope of this right is clear for intelligence gathering or hacking within the territory of a state. Any arbitrary electronic interception that takes place within a nation’s borders or involves that nation’s citizens violates the international right to privacy.121
The scope of this right is less clear for intelligence gathering on foreign states or foreign nationals. The U.S. has presented the most limited interpretation of the right to privacy in this context. According to the U.S., the right only attaches to citizens within a state’s territory and subject to its jurisdiction.122 Therefore, foreigners and citizens located abroad do not enjoy the right to privacy for U.S. surveillance activities. In the context of U.S. submarine cable hacking, this implies only U.S. citizens enjoy the right to privacy, and they only enjoy this right for submarine cable hacking conducted in the U.S.’s territorial waters. The majority of states in the international community hold the right is broader. According to the majority opinion, states “respect and ensure the rights laid down in the Covenant to anyone within the power or effective control of that State Party, even if not situated within the territory of the State Party.”123 While the precise contours of the ICCPR are still debated, a number of international bodies have coalesced around the principle that a state’s obligations are maintained for foreigners and citizens alike.124 Under this interpretation, citizens enjoy the right to privacy for submarine cable hacking regardless of where the hacking takes place or what state conducts the hacking.
The debate around the scope of this right centers on whether a state exercises “effective control” over a person or territory in determining jurisdiction. As discussed earlier, the high seas are beyond the territorial reach of any particular state. Therefore, questions of “effective control” become more pressing as scholars consider whether a state exercises effective control over cyberspace through cables located on the high seas. This question is hotly debated. Some scholars have noted limiting effective control to solely physical territory may result in illogical results as it is not clear where cyber communications are physically located when conducted over the internet.125 Other scholars have argued a “virtual control,” where states are liable for those citizens whose communications it has control over, is more appropriate.126 In the context of submarine cables, this may be a more appropriate approach as it would ensure the equal treatment of individuals regardless of physical location, which matches the traversing and multi-state nature of submarine cables.
An international right to privacy nevertheless remains controversial. Some scholars insist an application of a universal right to privacy may undermine domestic protections against surveillance currently in place.127 These scholars argue a more universal definition may reduce the obligations afforded domestic citizens under current cyber privacy laws.128 Other scholars have argued the right to privacy is socially defined and therefore changes from context to context or society to society.129 Accordingly, the scope of the right at issue may not extend to protections against state surveillance for defense purposes depending on the social definition and context.
Regardless of the ongoing debate, the recognition and scope of the right to privacy appears to be shifting, as discussed in Section III, toward a greater recognition of the right to privacy. Scholars have noted international human rights cases increasingly find states’ human rights obligations follow them in acting abroad.130 As this recognition expands, mass surveillance is increasingly considered “arbitrary” and in contravention of the ICCPR.131 In a 2015 groundbreaking case, ten U.K. NGOs filed an action with the European Court of Human Rights (ECtHR) arguing the U.K.’s mass surveillance system violated the right to privacy.132 The ECtHR agreed noting the surveillance scheme’s arbitrary intelligence collection violated the right to privacy under the European Convention on Human Rights.133 This case is significant because it specifically addressed bulk surveillance conducted through fiber optic cables.134 On appeal, the ECtHR dismissed the case for failing to seek appropriate domestic remedies.135 Nevertheless, the court’s initial ruling reflects a concerted shift in behavior toward greater privacy rights recognition. Similarly, in 2020, the Court of Justice of the European Union (CJEU) held indiscriminate government mass surveillance violated E.U. regulations for privacy and data protection.136 The CJEU held surveillance should be conducted only for what is strictly necessary for national security purposes.137 These shifts are representative of general shifts in recognition of the right to privacy.
While cooperation for developing protections and harmonization of definitions for privacy in the internet age is ongoing,138 it is apparent that the right to privacy exists and is increasingly recognized in international public law. While this Comment cannot cure all the debates around the right to privacy, the solution described in Section VII provides a novel exploration of the right to privacy in cyber space that may help advance discussions elsewhere.
VI. The Lay of the Land of Current Scholarship
This Section explores current scholarship on submarine cable protections and submarine cable hacking. This Section serves to provide context for the novelty of the solution offered in Section VII and discuss how scholars interpret currently proposed avenues for liability for submarine hacking. Scholars currently focus on protections for incidental or intentional damage to cables in order to raise the relative costs associated with hacking. Scholars, however, are pessimistic about current domestic protections toward submarine cables and generally accept submarine cable hacking as part of the international landscape. Notably, scholars have previously not used the right to privacy to frame the debate around submarine cable hacking and have not used dispute resolution mechanisms, like ITLOS, for resolving these issues.
As a summary of prior Sections, UNCLOS does not explicitly place restrictions on peacetime intelligence gathering or cyber operations on the high seas or in the EEZ. Because the high seas are not subject to any state’s domestic jurisdiction and the EEZ is subject to very limited jurisdiction, domestic laws against hacking or damage to submarine cables do not apply in these areas. Further, there is no international treaty or convention that restricts or bans cyber operations generally. Experts agree that “the bottom line is that there is no clear prohibition against the physical tapping of fiber optic cables in the EEZ [or the high seas] to be found in UNCLOS”139 or other international treaties.140
While states generally have the freedom to conduct cyber operations on the high seas, if the method of those operations violates other international treaties or laws, those methods are subject to liability.141 Scholars have therefore turned to UNCLOS Article 112 and Article 113, which describe the freedom to lay submarine cables and the obligation of states to create domestic protections for cables, as possible protections for cables.142 In their analyses, these scholars focus on incidental damage to submarine cables, the first indirect effect from cable hacking.
Scholars, however, are pessimistic about using Article 112 or Article 113 to protect submarine cables. While UNCLOS requires states to have domestic laws to punish intentional or negligent damage of undersea cables, most states have not imposed these regulations. For example, Canada does not have any legal protections for cables once laid.143 While Canadian law requires permits to lay cables and conduct periodic environmental impact reports, cable companies do not have any legal recourse under Canadian law for cables damaged by other parties. The U.N. General Assembly has even called on states to implement protections under Article 113 due to the paucity of available domestic protections against damage to cables.144
And where states do have regulations, those protections are generally weak and rarely enforced. For example, U.S. federal law states parties who intentionally damage cables are subject to a maximum fine of $5,000.145 Repair costs far exceed this figure.146 Other states similarly have weak enforcement regimes. In Australia, the penalty for intentional damage of submarine cables is AUS$2,000 or imprisonment for 12 months while the penalty for negligent damage is AUS$1,000 or imprisonment for 3 months.147 With such insignificant protections, there are few incentives for cable owners or regulators to seek enforcement. Accordingly, there are no documented instances of prosecution under either the U.S. or Australian laws.
Scholars and advocates have argued strengthening these domestic protections may offer some relief against hacking. As discussed in the previous Section, by increasing the costs associated with a hacking operation, the associated cost-benefit analysis shifts. Scholars have focused on increasing these protections in the absence of a new international framework against hacking. Tara Davenport noted Article 113 of UNCLOS would apply to damage done through cable tapping but that domestic protections against submarine cable damage are “woefully inadequate” and “not commensurate with the damage resulting from intentional interference.”148 Zoe Scanlon likewise recognized despite the “assumption underpinning UNCLOS that coastal states would recognize their clear interest in protecting submarine cables,” most states have not enacted legislation protecting cables.149 This contributes to an ineffective legal regime against cable damage and hacking.
While there is some appetite for bolstering domestic protections,150 doing so is an incomplete solution. First, the associated penalties would have to be severe in order to change the calculus of hacking states and compensate the injured cable owners. High penalties, however, may result in expensive liability for negligent, non-hacking agents like ship owners who incidentally drop anchor on a cable—the most common cable injury.151 High penalties may also incentivize states to cheat by refusing to pay damages or prosecute their citizens. Further, these domestic regulations could only assert jurisdiction over the citizens and ships of the regulating state or in offenses committed in its territorial waters. While hacking is easiest closest to land,152 the activities at issue most often do not occur in territorial waters and most commonly involve foreign actors or states as discussed in Section II.
Scholars, in recognition of these weaknesses, have generally accepted submarine cable hacking as part of the international landscape until further protections can be crafted or norms around cyber operations crystallize against mass surveillance.153 Scholars, however, have overlooked the second indirect effect of cyber operations on submarine cables: privacy violations. The following section offers a novel solution to the problem of submarine cable hacking by combining the dispute resolution framework under UNCLOS with other sources of public international law using privacy as grounds for liability.
VII. Using ITLOS to Trigger Dispute Resolution: Damage and Privacy Solutions for Hacking
This Section describes the novel solution offered by this Comment with respect to submarine cable hacking. The Section first describes how the binding dispute resolution system under the International Tribunal for the Law of the Sea (ITLOS) likely has jurisdiction over submarine hacking attempts. This Section further argues, contrary to prior scholarly work, the lack of domestic protections for submarine cable hacking benefits the creation of international norms and a regime against cable hacking. This Section then proposes two solutions using ITLOS. First, ITLOS can be used to create an international regime protecting against submarine cable damage. This in turn raises the costs of submarine cable hacking and may lower hacking activity levels. Second, ITLOS can serve as a forum to argue hacking violates the international right to privacy and therefore should not be permitted even on the high seas. This analysis of the right to privacy with respect to submarine cables is novel in current scholarship and contributes to the ongoing debate about the limits of bulk surveillance collection and surveillance protections generally.
A. Jurisdiction Under ITLOS
As a preliminary matter, ITLOS likely has jurisdiction over alleged submarine hacking disputes. As referenced above, under UNCLOS, ITLOS serves as a dispute resolution mechanism between states. The jurisdiction of ITLOS is broad, encompassing “all disputes and all applications submitted to it in accordance with [UNCLOS].”154 To confer jurisdiction, therefore, states must have a viable link between hacking attempts and UNCLOS.
Under UNCLOS Articles 112 and 113, states have two arguments as to why ITLOS has jurisdiction over submarine cable hacking. First, states can use ITLOS for dispute resolution where other states are not abiding by their obligations to UNCLOS. Article 113 provides states must adopt laws and regulations to punish “breaking or injury” of submarine cables on the high seas “in such a manner as to be liable to interrupt or obstruct telegraphic or telephonic communications.”155 States therefore must create domestic liability schemes to hold its citizens liable for damage to or interruption of submarine cables on the high seas. If, for example, a state has not met its UNCLOS Article 113 obligations to have domestic regulations and a foreign state’s cable is damaged, the foreign state can invoke ITLOS to determine the breaching state’s cable liability. Generally, disputes between states about how to handle cable damage would sufficiently link to UNCLOS to confer jurisdiction.156
Second, states can present arguments that protections for cables under UNCLOS are broader than the right to merely lay cables. Article 112 codifies the right for all states “to lay submarine cables and pipelines on the bed of the high seas beyond the continental shelf.”157 While not stated, it can be assumed states have the freedom to operate these cables on the high seas. If a foreign state were to violate this assumed right of operation, through hacking or cable signal disruption, an injured state may then have grounds for liability under UNCLOS. ITLOS would be a suitable body to address the violation of this right because the tribunal adjudicates the rights and responsibilities of states on the high seas.
Even if Articles 112 and 113 are not compelling enough to justify jurisdiction, ITLOS also has jurisdiction over “any dispute concerning the interpretation or application of an international agreement related to the purposes of [UNCLOS].”158 This broad language allows ITLOS to exert jurisdiction over any international treaty that affects or interacts with UNCLOS. While broad, ITLOS usually declines, however, jurisdiction absent some connection to the high seas or a subject matter of UNCLOS. Scholars have noted the specialized nature of ITLOS means the “subject matter of any agreement providing for jurisdiction of ITLOS would probably relate closely to the law of the sea, given the expertise of the judges of ITLOS.”159
For example, in a case involving detained sailors, ITLOS asserted international human rights under other international conventions were at issue. Plaintiffs, however, had to first assert a jurisdictional link to these rights by noting that the detention that led to these violations was sanctioned under UNCLOS.160 Similarly, Italy invoked the ICCPR in its complaint to ITLOS to free Italian sailors detained by the Indian government. Italy did not invoke a stand-alone argument for release under the ICCPR but rather paired it with UNCLOS provisions against “prejudice.”161 States can similarly invoke ITLOS to clarify the obligations of states to the international right to privacy, as articulated by a number of international conventions, with respect to UNCLOS. States should then be able to obtain ITLOS jurisdiction under this more general human rights framework.
Before reaching these questions of ITLOS jurisdiction, however, ITLOS may only resolve disputes under UNCLOS “after local remedies have been exhausted where this is required by international law.”162 Subsequently, states subject to hacking must have exhausted domestic remedies before looking to ITLOS. As mentioned above, scholars have frequently noted the paucity of domestic regulations against submarine cable hacking. Many states have not implemented any domestic regulations concerning submarine cable damage, let alone hacking.163 And where those domestic protections do exist, they are often weak relative to the potential damage done by hacking attempts to a cable’s constitution.164 Because domestic protections are not typically available or are insufficient where they are available, states have generally exhausted all domestic remedies.165
And while scholars have criticized the weakness of these domestic protections and frequently recommended instituting stronger domestic regulations, the absence of these regulations actually strengthens the argument for jurisdiction under ITLOS. If domestic regulations were available, states would be obligated to pursue liability under those regulations. Because states have not implemented these regulations or have incredibly weak domestic protections, this domestic remedy is likely not available.166 Because states have therefore not complied with their requirements under UNCLOS, ITLOS has a strong case for jurisdiction as the appropriate body to handle disputes associated with these unfulfilled obligations. In this respect, the overwhelming weakness of domestic protections actually benefits states in arguing for jurisdiction before ITLOS. This observation is in contravention to scholars’ criticism of domestic cable protections.167
Once jurisdiction has been established, states can then turn to the two indirect effects of hacking—cable damage and violations of the right to privacy— to seek liability against hacking states.
B. Using ITLOS to Protect Against Cable Damage
States can use ITLOS to protect against hacking by enforcing liability for damages incurred from hacking. Using Articles 112 and 113 of UNCLOS, injured states can argue the offending states are not abiding by their UNCLOS requirements to create a domestic regime to punish cable damagers. Injured states can further argue offending states violate the freedom to lay and operate submarine cables. In the first instance, an injured state may use ITLOS to force the offending state to punish its wrongdoers under its own domestic jurisdiction. ITLOS can bind states to craft and administer regimes protecting cables against damage by their citizens. This may in turn increase prospective economic costs of hacking and reduce overall hacking activity levels. While states may have an incentive to cheat, the political costs from breaking with its required enforcement regime will only increase under a binding dispute resolution order from ITLOS.
States can further argue domestic protections as required under UNCLOS may not wholly protect this articulated right. If the cost of damage to cables is so expensive168 and the economic value of internet access is so great,169 states can argue the domestic regimes formulated and required under UNCLOS may not adequately protect their rights to be free from damage or interference. Accordingly, states may argue ITLOS should assert some damages or compensation requirement for intentional damage to cables from hacking.
In the second instance, states may argue the freedom to lay and operate cables under UNCLOS extends to protections against interference by foreign states on the high seas. While UNCLOS only protects against “damage” to cables,170 states can reasonably argue the UNCLOS protections are an outgrowth of a history of protecting general use and operation of cables. Because the 1884 Convention protected against interference of cable operation, which was subsequently codified in the intervening conventions, states can reasonably claim UNCLOS’s more general cable freedoms extend to freedom from arbitrary interference by foreign states. Because hacking interferes with a cable’s signal and likely requires repair by the operator, states can then argue hacking falls under this sphere of prohibited activities.
ITLOS would likely be receptive to this argument. ITLOS has a history of extending greater protections to states than is precisely articulated in the language of UNCLOS. In MV/Saiga, ITLOS held Guinea violated the prohibition against the excessive use of force in detaining ships, although prohibitions against the excessive use of force are not expressly articulated by UNCLOS.171 And in Guyana v. Suriname, ITLOS held Suriname used unlawful force against a Canadian vessel licensed by Guyana even without a prohibition on the use of force against foreign vessels under UNCLOS.172 These cases indicate ITLOS’s willingness to extend more general international law protections beyond UNCLOS. These cases further demonstrate ITLOS is willing to extend protections to states beyond the text of UNCLOS using the history and subtext of the treaty. Accordingly, ITLOS may be receptive to the argument that freedom from damage or interference has long been historically recognized.
This solution is novel as it resolves the lack of enforcement mechanism scholars criticized by scholars with respect to domestic cable regimes. Because ITLOS can require states to abide by their treaty obligations, ITLOS can then mandate states create domestic regulations to protect cables. Further, this solution allows ITLOS to hear arguments about more general freedoms related to submarine cable use. Because ITLOS can hear arguments related to other binding treaties and agreements,173 states can argue the 1884 Convention or intervening law of the sea conventions established the freedom to lay and operate cables includes freedom from unnecessary cable interference.
This solution carries with it a handful of potential caveats. First, ITLOS will most likely require the offending country to hold violators domestically liable. This follows because Articles 112 and 113 of UNCLOS only require a domestic cable protection scheme. The offending country is likely to impose minimal penalties or elect not to impose penalties. This strategy may then not raise costs associated with hacking to lower overall activity levels. This outcome, however, does not fully undermine the solution described above. If countries’ domestic regimes continue to be weak or weakly enforced, ITLOS is more likely to extend greater protections to cables than are required under UNCLOS. This would be similar to the extension of greater rights than necessary in Guyana v. Suriname.174 Further, continued refusal to hold violators domestically liable will cause ITLOS to hold contravening states accountable for failing to uphold their UNCLOS responsibilities. This may in turn increase the costs associated with hacking and lower activity levels.
Second, arguments about more general rights to cable protections, such as the freedom of cable operation, may be weak because not many states signed onto the 1884 Convention or the intervening conventions of the laws of the sea. Without a convention to point to, ITLOS would then be relying on general norms of international law in creating a liability regime for cable damage. ITLOS may be reticent to do that for fear of overstepping its bounds and of countries not participating in dispute resolution. Once such refusal occurred in Arctic Sunrise when Russia refused to appear in front of ITLOS.175
Third, not all hacking attempts end in damage to submarine cables. If a cable was not damaged during a hacking attempt, this regime may not apply. Accordingly, states must turn to other norms or rights to protect against submarine hacking. The following Section presents a solution to submarine cable hacking that centers on the right to privacy and does not rely on damage to the underlying cable to provide liability.
C. Using ITLOS to Protect Against Violations of the Right to Privacy
States can also use ITLOS to pursue violations to the international right to privacy committed by hacking. ITLOS is able to apply UNCLOS law and “other rules of international law not incompatible with” UNCLOS including the Universal Declaration of Human Rights and the ICCPR.176 States subject to hacking can use these conventions and other international human rights to argue against hacking once they have jurisdiction under ITLOS.
States can argue hacking contravenes the right to privacy embedded in numerous human rights treaties. As discussed in Section V, citizens enjoy a right to privacy under many international conventions. ITLOS can enforce violations of the ICCPR and other treaties as they relate to the right to privacy. While submarine cable hackers may be attempting to access sensitive government information, the hacking of undersea cables almost inevitably includes access to private citizens’ internet traffic because states cannot pick and choose what information they obtain.177 Such a broad sweeping may therefore be considered “arbitrary” and in contravention of the international right to privacy.
While litigation around the right to privacy is relatively new, there is a trend among international bodies toward recognizing a universal right to privacy. As discussed in Section V, the ECtHR previously held the U.K.’s bulk surveillance program through fiber optic cables violated the right to privacy but subsequently dismissed the case on appeal for failure to pursue all domestic remedies.178 In October 2020, the CJEU held indiscriminate mass surveillance violated E.U. privacy and data protections.179 And the German Constitutional Court held Germany’s constitutional protections against indiscriminate surveillance and data collection extended to foreigners living abroad.180 Beyond these court rulings, the International Court of Justice (ICJ) has affirmed the rights under the Universal Declaration of Human Rights and the ICCPR apply globally.181 And while the ICJ has not affirmed a right to privacy against all indiscriminate surveillance, the Court did not denounce such an argument in two prior cases involving surveillance on private communications.182 This matches a trend in international bodies toward greater recognition of the right to privacy in recent years.183
Rights under the ICCPR and the Universal Declaration of Human Rights have previously been protected by ITLOS.184 While ITLOS has not taken on cases involving privacy, ITLOS precedent indicates a keen and demonstrated interest in protecting other human rights outside of those codified by UNCLOS. For example, ITLOS in its 1999 MV Saiga Nr. 2 judgment,185 for a case involving seized vessels, referred to “considerations of humanity” that “must apply to the Law of the Sea as they do in other areas of international law.”186 The ITLOS decisions in Arctic Sunrise and Enrica Lexie further indicate an increasing willingness by ITLOS to consider human rights concerns, either implicitly in the case of Enrica Lexie or explicitly as in Arctic Sunrise.187
These cases demonstrate “a pattern of increased willingness on the part of States to invoke (universal) human rights instruments (i.e., the ICCPR)—and, in this case, even the views of human rights bodies (i.e., the Human Rights Committee) — in provisional measures proceedings before ITLOS.”188 Scholars have observed ITLOS increasingly incorporates “considerations of humanity” in its decision-making.189 And, as discussed in Section V, the international right to privacy would fall into such considerations.
ITLOS is further likely to invoke the right to privacy under the ICCPR or the Universal Declaration of Human Rights because privacy is so closely linked to the subject of the proceeding on the merits. ITLOS requires “the relief sought (and the rights to be protected by the relief) must be closely related to the rights subject to the proceedings on the merits.”190 The freedom to lay cables under UNCLOS impugns some respect for those cables, their use, and their content. Because hacking violates the use and content of these cables, the right to privacy seems closely associated with hacking and capable of being invoked in proceedings.
This solution is novel for a handful of reasons. First, this solution uses a supposed weakness in international protections for submarine cables—lack of domestic protections— as the jurisdictional hook for liability. Although scholars have critiqued the weakness of these regimes,191 the lack of an effective or a largely weak framework is actually a strength in creating a secondary method to pursue violators. Further, if domestic protections were stronger, ITLOS complaints may be superseded by domestic and local remedies. Because domestic remedies are limited in application and minimal at best, the dispute resolution system offered by ITLOS has broader application and ability to impose necessary penalties.
Second, this solution avoids questions of the peacetime legitimacy of state intelligence gathering more generally. As discussed in the Tallinn Manual, cyber operations may not be conducted in an unlawful manner.192 If submarine cable hacking is considered a violation of the international right to privacy, this particular method of collecting surveillance would be deemed unlawful. States still preserve the ability to gather intelligence or surveillance through other, less arbitrary, means. This solution is therefore more tailored than other debates around peacetime intelligence gathering writ large.
While a novel method of solution, the use of ITLOS to make claims against the international right to privacy is not without caveats. While the caveats discussed below are not fatal to the solution described, they do present questions about the potential scope of the solution asserted and how controversies around the international right to privacy and international legal obligations generally bleed into the conversation around submarine cables.
First, not all states are signatories to UNCLOS or the human rights conventions that describe the international right to privacy. Prominently, for example, the U.S. has not ratified its participation in UNCLOS, although it is a signatory.193 While making some claims against other states under UNCLOS, it is not clear the U.S. can invoke UNCLOS or be subject to liability under UNCLOS for claims made by other states.194 Non-signatory parties could voluntarily agree to arbitration under ITLOS but doing so does not seem to be in their rational self-interest. Because not all states are then bound to ITLOS as a dispute resolution mechanism, the solution offered above may not be universal in application.
Second, even if a decision is binding, it is not clear how ITLOS would enforce its arbitration decisions if parties do not comply.195 For example, in the Arctic Sunrise arbitration, Russia refused to appear before ITLOS or abide by the tribunal’s ruling.196 ITLOS does not have a security force to implement rulings and does not have the ability to levy sanctions or restrict access to seaways if states do not comply with their rulings. States would therefore still need to consent to whatever ruling ITLOS makes, even if their rulings are technically “binding.” This critique, however, could likely be levied with any international legal enforcement mechanism as truly bad actors can continue to evade judgments.
Third, if the injured state and the hacking state have reasonably robust domestic cable protection schemes, ITLOS may not have jurisdiction. As discussed above, ITLOS requires states to exercise local remedies before appealing to ITLOS for dispute resolution. If the offending state has domestic protections, the injured state can appeal to that state to subject the offenders to domestic protections. This would result in the offending state being responsible for enforcing a regime which its citizens, and quite probably state agents, have violated. The incentives for the offending state to do so are minimal.
This possibility, however, is not fatal to the above solution mechanism. States can still appeal to UNCLOS for greater clarity for states’ responsibilities for cable protections on the high seas under Articles 112 and 113 of UNCLOS. States can further dispute the domestic proceedings as insufficient to compensate the injured party for potential cable damage or the stolen information. And states can likely still make claims related to the international right to privacy not addressed by domestic protections. While this last claim may raise issues around whether ITLOS is the proper body to hear these complaints, because the conduct occurs at sea, ITLOS still has a viable claim to jurisdiction.
Fourth, relatedly, the most probable avenue to obtain jurisdiction under ITLOS involves damage to submarine cables as a result of hacking. If hacking technologies are sufficiently sophisticated, they may cause no harm to submarine cables. Accordingly, states would need to develop alternative reasons to obtain ITLOS jurisdiction. As discussed above, states can argue for dispute resolution for interfering with cable operation under Articles 112 or 113. More generally, states can argue ITLOS’s broad jurisdiction gives them standing, but this also seems weak.
Alternatively, states can make claims using the more general wording of the 1884 Convention. The 1884 Convention prevents “interference” with telegraph cables. Because hacking necessarily involves some degree of signal interference of fiber optic cables, hacking would likely fall into this broader “interference” category. And because the 1884 Convention does not have a body for dispute resolution related to obligations under the Convention, states can reasonably argue ITLOS is the most proper forum to hear disputes.
This argument does not guarantee jurisdiction either. Foremost, the 1884 Convention addresses telegraph cables. While it seems reasonable to extend these protections to fiber optic or internet cables given the spirit of the Convention, the 1884 Convention is then limited in scope. Further, “interference” is harder to prove as compared to external damage to cables in hacking attempts. It is more difficult for signal operators to observe momentary gaps in service as compared to external cable damage, and maintaining a record showing this interference is both costly and difficult. Additionally, not many states are parties to the 1884 Convention as compared to UNCLOS. While many of the power players likely to engage in hacking are parties to both, including Russia and the U.K., some states are parties only to UNCLOS, like China, or party only to the 1884 Convention, like the U.S. Finally, the 1884 Convention, like UNCLOS, only presents obligations for states to create domestic protective schemes for submarine cables. The 1884 Convention does not have any enforcement mechanisms against this bad behavior which makes ITLOS’s jurisdiction more specious. And claims related to U.N. human rights obligations using the 1884 Convention to confer jurisdiction seem weak.
Fifth, claims of the right to privacy are relatively novel for international courts and the limits of this right have not been clearly defined. ITLOS, in turn, may not make sweeping decisions related to hacking for these types of cases without further clarity on the scope of the right to privacy. ITLOS may instead resolve the dispute by requiring greater compensatory damages or greater domestic protections for damage to cables without resolving the issue of hacking. This result may incidentally reduce hacking by raising the possible costs associated with hacking attempts, but states may still find the possible damages as reasonable to the perceived intelligence gains from hacking. Accordingly, privacy suits may need to wait for greater international consensus on the limits of the right to privacy.
This solution, however, can build on changing norms around the right to privacy. As discussed in Section V, the international right to privacy is increasingly recognized on the global stage. This solution presents novel questions within this ongoing debate. The recognition of the right to privacy depends largely on “effective control” of the persons or territory involved in the surveillance.197 Submarine cables present novel questions around this effective control as it is nearly certain that at least some of a state’s citizens’ communications will be obtained through a submarine cable hack. Is this incidental acquisition enough to violate standards against countries surveilling their own citizens arbitrarily?
Further, submarine cables are simultaneously a protected and necessary state resource and located on the high seas. Cables may then be a useful framing to consider how much control and sovereignty states have over their cyber space. Are cables more like physical territory or more like ephemeral cyber space in considering sovereignty and does the distinction ultimately matter with respect to privacy rights? This Comment is unable to answer these questions fully, but the Comment’s solution opens novel avenues for argument around these themes and may help advance the dialogue with respect to privacy rights.
Sixth, some states may not want to pursue creating a regime against submarine cable hacking. As discussed in Section II, many global powers, including the U.S., China, the U.K., and Russia, engage in submarine cable hacking. States, particularly those with robust submarine military presences, may want to preserve the ability to surveil other states using submarine cable hacking. These states would therefore not invoke ITLOS or the right to privacy against submarine cable hacking. This may be a particularly onerous challenge because these powerful states often develop and enforce global norms.
As discussed in Section III, however, this criticism may not necessarily be fatal to the solution offered above. Norms with respect to submarine cables and hacking in general appear to be shifting. Smaller states or landlocked states that do not engage in submarine cable hacking have incentives to further develop these norms to protect their citizens’ privacy and governmental data without the counterincentive of preserving the right to hack other states. While this shift may take time to play out, the momentum is in favor of increased recognition of privacy rights as discussed in Section V. Regardless, as hacking increases and as the associated damage from hacking rises, international legal solutions may be more cost effective than patrolling the seas against hacking attempts. Accordingly, states may decide international norms are a more cost-effective way of reducing hacking activity levels.
Seventh, if states elect not to pursue a hacking complaint against another state for geopolitical reasons, the injured cable operator may not be able to use ITLOS to seek a suitable remedy. In most cases, the injured party is likely a corporation. Due to the terrific costs in laying submarine cables, the majority of modern-day cables are owned and laid by private companies and collectives. For example, Google has backed at least 14 cables globally and other tech firms have similarly pursued their own submarine cable systems.198 Accordingly, corporations often foot the bill for cable damage or privacy concerns.199
ITLOS jurisdiction over corporations is somewhat ambiguous but appears limited. Article 20 of the ITLOS charter provides non-state entities can access to the Tribunal for cases where other agreements accepted by all parties in the case confer jurisdiction to ITLOS.200 It is highly unlikely the corporation and the hacking party will have agreed to dispute resolution by ITLOS in the case of hacking. Accordingly, when the corporation’s home country elects not to pursue dispute resolution, ITLOS may not be a viable solution.
This, however, does not entirely eliminate the possibility of enforcing an anti-hacking regime through corporate action. Depending on the jurisdictional limits of the corporation’s home country, corporations can pursue private civil suits against foreign states.201 These actions are generally not taken due to geopolitical concerns, concerns about comity, and questions about where the alleged tort occurred.202 The possibility of these suits, however, raises the specter of private action against hacking malfeasors, which may be worth considering in subsequent analyses beyond the scope of this Comment.
VIII. Conclusion
This Comment examined whether states had any recourse under public international law when foreign states hacked into submarine cables. In so doing, this Comment explored public international law around submarine cables (Section IV) and public international law with respect to hacking (Section V) to conclude states can use the International Tribunal of the Law of the Sea (ITLOS) invoke liability (Section VI). This Comment argued ITLOS would have proper jurisdiction over submarine hacking claims and would be a suitable body to address these complaints due to the weakness of domestic cable protections. This Comment argued states have two avenues for establishing liability through ITLOS: damage to cables or violations of the international right to privacy. This Comment thus invokes broader discussion of how states can seek legal recourse against submarine cable hacking while norms and conventions addressing hacking and submarine cables continue to develop.
- 1See, generally Edward Malecki & Hu Wei, A Wired World: The Evolving Geography of Submarine Cables and the Shift to Asia, 99 Annals Ass’n Am. Geographers 360 (2009).
- 2Greg Miller, Undersea Internet Cables are Surprisingly Vulnerable, Wired (Oct. 29, 2015), https://perma.cc/X53J-XMHA.
- 3Submarine Cable Map, TeleGeography, https://perma.cc/S2SR-FL66 (2021).
- 4Chris Baynes, Entire Country Taken Offline for Two Days After Undersea Internet Cable Cut, Indep. (Apr 11, 2018), https://perma.cc/26LE-P6QD.
- 5Tim Johnson McClatchy, Undersea Cables: Too Valuable to Leave Vulnerable, Gov’t Tech. (Dec. 12, 2017), https://perma.cc/AH3X-TPMX.
- 6Christopher Drew, Divers Say Net Tied Submarine to Listening Device, N.Y. Times (Aug. 9, 2005), https://perma.cc/YXS8-ACXT.
- 7Sophia Ankel, Russian Intelligence Agents Reportedly Went to Ireland to Inspect Undersea Cables, and It’s Reigniting Fears They Could Cut Them and Take Entire Countries Offline, Bus. Insider (Feb. 17, 2020), https://perma.cc/8CE7-V38L.
- 8Doug Brake, Info. Tech. & Innovation Found., Submarine Cables: Critical Infrastructure for Global Communications (2019), https://perma.cc/8YQ8-T9TL.
- 9Anthony Spadafora, Google, Facebook Undersea Web Cable Will No Longer Connect US and Hong Kong, TechRadar (Aug. 31, 2020), https://perma.cc/U8YZ-FXXS.
- 10Justin Sherman, The US-China Battle over the Internet Goes Under the Sea, Wired (June 24, 2020), https://perma.cc/5X8K-8FY4.
- 11Ewen MacAskill, Julian Borger, Nick Hopkins, Nick Davis & James Ball, GCHQ Taps Fibre-optic Cables for Secret Access to the World’s Telecommunciations, The Guardian (June 21, 2013), https://perma.cc/4DGD-HRN5.
- 12Barbara Starr, U.S. Sensors Detect Russian Submarines Near Underwater Cables, CNN (Oct. 28, 2015), https://perma.cc/RL96-QV9L.
- 13Olga Khazan, The Creepy, Long-Standing Practice of Undersea Cable Tapping, The Atlantic (July 16, 2013), https://perma.cc/W8GY-F5R2.
- 14David McCabe, F.C.C. Designates Huawei and ZTE as National Security Threats, N.Y. Times (June 30, 2020), https://perma.cc/PW37-6Z2Y.
- 15Tim Hornyak, Here’s What It Takes to Lay Google’s 9,000km Undersea Cable, ComputerWorld (July 13, 2015), https://perma.cc/EHL6-GSMX (approximately $300 million for a cable between the U.S. and Japan).
- 16James Griffiths, The Global Internet Is Powered by Vast Undersea Cables. But They’re Vulnerable, CNN (July 26, 2019), https://perma.cc/3VJM-LQQD.
- 17Id.
- 18Stewart Ash, The Development of Submarine Cables, in Submarine Cables: The Handbook of Law and Policy 19 (Douglas R. Burnett, Robert C. Beckman & Tara C. Davenport eds., 2014).
- 19Klint Finley, How Google Is Cramming More Data into Its New Atlantic Cable, Wired (Apr. 5, 2019), https://perma.cc/D49P-23GW.
- 20H.I. Sutton, How Russian Spy Submarines Can Interfere with Undersea Internet Cables, Forbes (Aug. 19, 2020), https://perma.cc/5BXR-4CWT.
- 21Yohei Hirose, Japan, US and Australia to Finance Undersea Cable for Palau, Nikkei Asia (Oct. 28, 2020), https://perma.cc/2WXP-FH9D.
- 22Marissa Alcala et al., Financing Subsea Cables in Latin America, Norton Rose Fulbright (June 16, 2020), https://perma.cc/QPG9-QKZW.
- 23Sam Shead, Google Is Building a Huge Undersea Fiber-Optic Cable to Connect the U.S. to Britain and Spain, CNBC (July 28, 2020), https://perma.cc/T3GE-N363.
- 24See generally Isaac Geisler et al., Dep’t of Sys. Eng’g & Operations Res., Geo. Mason Univ., Design of a Transoceanic Cable System (2015), https://perma.cc/7WPB-HRPE.
- 25Griffiths, supra note 16.
- 26Investigators ultimately determined a ship’s anchor was to blame for at least one of four simultaneously damaged cables connecting the Middle East and Europe, but many at the time alleged the cables were damaged by private actors and conspiracy theories still abound. Lily Hay Newman, Cut Undersea Cable Plunges Yemen Into Days-Long Internet Outage, Wired (Jan. 13, 2020), https://perma.cc/C4AF-CLBG; Kim Zetter, Undersea Cables Cut; 14 Countries Lose Web – Updated, Wired (Dec. 19, 2008), https://perma.cc/3TGK-EUHH.
- 27Michael Sechrist, Harv. Kennedy Sch. Belfer Ctr., New Threats, Old Technology: Vulnerabilities in Undersea Communications Cable Network Management Systems (2012), https://perma.cc/953R-MSKW.
- 28New Nuclear Sub Is Said to Have Special Eavesdropping Ability, N.Y. Times (Feb. 20, 2005), https://perma.cc/KDM9-683P.
- 29See Tara M. Davenport, Submarine Cables, Cybersecurity & International Law: An Intersectional Analysis, 24 Cath. U. J.L. & Tech. 57, 103–5 (2015).
- 30Meghan Neal, How to Hack the Backbone of the Internet, Vice (Oct. 31, 2013), https://perma.cc/6MWG-CF3E.
- 31See Khazan, supra note 13.
- 32Id.
- 33Submarine Cables, Nat’l Oceanic & Atmospheric Admin. (NOAA), https://perma.cc/2YKK-DTS3.
- 34Paul Brodsky, Let’s Just Say Demand Is Thriving in the Global Bandwidth Market, Telegeography Dig. (May 1, 2020), https://perma.cc/B245-M8FE.
- 35Data Volume of Global Consumer IP Traffic From 2017 to 2022, Statista (Feb. 2019), https://perma.cc/FY6S-NVT6.
- 36Alex Vaxmonsky, New Subsea Cable Architectures Are Carrying the World’s Traffic, Equinix (Mar. 16, 2020), https://perma.cc/9GHL-WD9A.
- 37Geoff Bennett, Subsea Cable Capacity: Where Do We Go Next?, Submarine Telecoms F. (Sept. 21, 2020), https://perma.cc/8P7K-NKJ3.
- 38Submarine Cable System Market Worth $22.0 Billion by 2025, PR Newswire (Feb. 27, 2020), https://perma.cc/7QTT-LM33.
- 39MacAskill et al., supra note 11.
- 40David E. Sanger & Eric Schmitt, Russian Ships Near Data Cables Are Too Close for U.S. Comfort, N.Y. Times (Oct. 25, 2015), https://perma.cc/WM9H-G9C6.
- 41Xavier Vavasseur, Russia’s Pacific Fleet to Get 15 New Vessels in 2020, Naval News (May 29, 2020), https://perma.cc/39VS-4HZD.
- 42Garrett Hinck, Evaluating the Russian Threat to Undersea Cables, Lawfare (Mar. 5, 2018), https://perma.cc/5RRD-PSX2.
- 43Agence-France Presse, Pacific Data Cable Not Safe from China if Hong Kong Included, Says US, The Guardian (June 17, 2020), https://perma.cc/HWY2-BLAB.
- 44Mark Harris, Google and Facebook Turn Their Backs on Undersea Cable to China, TechCrunch (Feb. 6, 2020), https://perma.cc/D3YQ-55H8.
- 45David E. Sanger & Steven Lee Myers, After a Hiatus, China Accelerates Cyberspying Efforts to Obtain U.S. Technology, N.Y. Times (Nov. 29, 2018), https://perma.cc/KB46-K7SG.
- 46Id.
- 47Jim Newell, Thousands Gather in Washington for Anti-NSA ‘Stop Watching Us’ Rally, The Guardian (Oct. 26, 2013), https://perma.cc/VWF5-AFSN.
- 48The Right to Privacy in the Digital Age, U.N. Hum. Rts. Off. High Comm’r, https://perma.cc/PH43-KGJY.
- 49For attempts to solve this problem and a description of the technical requirements involved, see Lijuan Zhao et al., On-Line Monitoring System of 110 kV Submarine Cable Based on BOTDR, 216 Sensors & Actuators 28 (2014); Ye Yincan et al., Submarine Cable Project Management and Maintenance Monitoring Information System, in Submarine Optical Cable Engineering 259 (Ye Yincan, Jiang Xinmin, Pan Guofu, Jiang Wei eds., 2018).
- 50Could Russia Cut Undersea Communication Cables?, BBC (Dec. 15, 2017), https://perma.cc/XX95-7X7M.
- 51Adam Satariano, How the Internet Travels Across Oceans¸ N.Y. Times (Mar. 10, 2019), https://perma.cc/KVR3-WD5N.
- 52For example, the first submarine cable crossing the English Channel was cut by a fisherman who thought he discovered a new species of seaweed. Eric Wagner, Submarine Cables and Protections Provided by the Law of the Sea, 19 Marine Policy 127, 128 (1995).
- 53Convention for the Protection of Submarine Telegraph Cables, Mar. 14, 1884 [hereinafter 1884 Convention].
- 54Id. art. II (“It is a punishable offence to break or injure a submarine cable, willfully or by culpable negligence, in such manner as might interrupt or obstruct telegraphic communication, either wholly or partially, such punishment being without prejudice to any civil action for damages.”).
- 55Id. art. XII (“The High Contracting Parties engage to take or to propose to their respective legislatures the necessary measures for insuring the execution of the present Convention, and especially for punishing, by either fine or imprisonment, or both, those who contravene the provisions of Articles II, V and VI.”).
- 56Id. art. 17.
- 5747 USC § 21 et seq.
- 58Wagner, supra note 52, at 135.
- 591884 Convention, supra note 53, art. II.
- 60See id. arts. II, IV, VII; see also Douglas Burnett, Tara Davenport & Robert Beckman, Overview of the International Legal Regime, in Submarine Cables: The Handbook of Law and Policy 63, 71–72 (Douglas R. Burnett, Robert C. Beckman & Tara M. Davenport eds., 2014).
- 61Convention on the High Seas, Apr. 29, 1958, 450 U.N.T.S. 82.
- 62Id. art. II.
- 63Id. art. XXVI.
- 64Id.
- 65United Nations Convention on the Law of the Sea, Dec. 10, 1982, 1833 U.N.T.S. 397 [hereinafter referred to as UNCLOS].
- 66UNCLOS, Int’l Union for Conservation of Nature, https://perma.cc/K8ZT-2UXV. For more information on the development of UNCLOS, see generally Myron H. Nordquist, et al., UNCLOS 1982 Commentary (Myron H Nordquist et al. eds., 2012).
- 67UNCLOS, supra note 65, art. II.
- 68Id. art. XXI; Burnett et al., supra note 60, at 76.
- 69Robert Beckman, Protecting Submarine Cables from Intentional Damage, in Submarine Cables: The Handbook of Law and Policy 281, 287 (Douglas R. Burnett, Robert C. Beckman & Tara M. Davenport eds., 2014).
- 70Id at 287.
- 71UNCLOS, supra note 65, art. LVII.
- 72Id.. See generally Kenneth W. Swenson, A Stitch in Time: The Continental Shelf, Environmental Ethics, and Federalism, 60 S. Cal. L. Rev. 851 (1987).
- 73UNCLOS, supra note 65, art. LVI.
- 74Id. art. LVIII.
- 75Id. art. LXXXVIII.
- 76See id. art. LXXIX (referring to the “laying or maintenance” of submarine cables and “repairing” existing cables.”); see also Burnett et al., supra note 60, at 81.
- 77UNCLOS, supra note 65, art. LVIII.
- 78Id. art. LXIII.
- 79Beckman, supra note 69, at 288.
- 80Id.
- 81Zone to Protect Perth Submarine Cables, Australian Comm’n & Media Auth., https://perma.cc/R6RS-Q6G3.
- 82Beckman, supra note 69, at 288.
- 83UNCLOS, supra note 65, art. LXXXVI.
- 84Id. art. LXXXIX (“No state may validly purport to subject any part of the high seas to its sovereignty.”).
- 85Id. art. LXXXVIII..
- 86Id. art. CXII..
- 87Id. art. LXXXVII.
- 88UNCLOS, supra note 65, art. CXIII.
- 89Beckman, supra note 69, at 288; see also Wagner, supra note 52, at 135.
- 90UNCLOS, supra note 65, art. CCLXXXVII. See generally Tullio Treves, Human Rights and the Law of the Sea, 28 Berkeley J. Int’l. L. 1 (2010).
- 91UNCLOS, supra note 65, art. CCLXXXVII.
- 92Id. art. CCXCV.
- 93Id. art. CCLXXXVIII.
- 94List of Cases, International Tribunal for the Law of the Sea, https://perma.cc/ZW45-Y548.
- 95For example, ITLOS adjudicated the maritime boundary between Mauritius and Maldives in the Indian Ocean. See Dispute Concerning Delimitation of the Maritime Boundary Between Mauritius and Maldives in the Indian Ocean (Mauritius v. Maldives), Case No. 28, Special Agreement and Notification of 24 September 2019. In another case, ITLOS provided an advisory opinion for the minimum access conditions and exploitation of fishery resources for the Sub-Regional Fisheries Commission. See Request for Advisory Opinion Submitted by the Sub-Regional Fisheries Commission, Advisory Opinion, 2 April 2015, ITLOS Reports 2015, Case No. 21.
- 96Convention on Cybercrime, Nov. 23, 2001, E.T.S. No. 185.
- 97Amalie M. Weber, The Council of Europe’s Convention on Cybercrime, 18 Berkeley Tech. L.J. 425, 426–30 (2003).
- 98Id. at 428–30.
- 99NATO Cooperative Cyber Def. Ctr. of Excellence, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt ed., 2d ed. 2017) [hereinafter Tallinn Manual].
- 100Id. at 2.
- 101Id. at 4.
- 102Id. at 51.
- 103Id. at 257.
- 104Id. at 233 (“In particular, employing a submarine or unmanned underwater vehicle to tap in territorial or archipelagic waters is inconsistent with the navigational regime of innocent passage as submarines are required to transit on the surface.”)
- 105Id. at 257.
- 106See Oliver J. Lissitzyn & Charles H. Stockton, Electronic Reconnaissance From the High Seas and International Law, 22 Naval War Coll. Rev. 26, 28 (1970).
- 107See, e.g., Roger D. Scott, Territorially Intrusive Intelligence Collection and International Law, 46 A.F. L. Rev. 217, 219 (1999). See also Davenport, supra note 29, at 105.
- 108Tallinn Manual, supra note 99 at 257. But see Davenport, supra note 29, at 105 (“Whether UNCLOS can be used to address the mass surveillance carried out through the tapping of undersea cables is not entirely clear . . . Such surveillance does not fall within conventional perceptions of military activities/intelligence gathering at sea, which as mentioned above, is targeted, and aims at enhancing knowledge of the marine environment and/or the military capabilities of other State’s navies.”).
- 109Tallinn Manual, supra note 99, at 169.
- 110Id. at 170.
- 111Id. at 257.
- 112Id.
- 113For example, a cable fault in the Pacific in 2007 cost $8 million to repair the cable. Michael Matis, The Protection of Undersea Cables: A Global Security Threat, U.S. Army War College (2012), https://perma.cc/34Y8-VLX3.
- 114The Economic Impact of Submarine Cable Outages Can Still be Enormous, SubCable World (Aug. 21, 2017), https://perma.cc/TF2F-QQ7R.
- 115Tallinn Manual, supra note 99, at 170.
- 116Universal Declaration of Human Rights, Dec. 12, 1948, G.A. Res. 217A, U.N. Doc. A/810 art. 12; International Covenant on Civil and Political Rights, Dec. 16, 1966, S. Exec. Rep. 102-23, 999 U.N.T.S. 171. art. 17 [hereinafter ICCPR]; Convention on the Rights of the Child, 20 Nov. 1989, 1577 U.N.T.S. 3 art. 16; Convention on the Rights of Persons with Disabilities, 3 May 2008, 2515 U.N.T.S. 3 art. 22; International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families, 18 December 1990, 2220 U.N.T.S. 39481 art. 14.
- 117Universal Declaration of Human Rights, supra note 116, art. 12.
- 118ICCPR, supra note 116, art. 17.
- 119Francesca Bignami, Human Rights Extraterritoriality: The Right to Privacy and National Security Surveillance, GWU Law School Public Law Research Paper No. 2017-67 (2017).
- 120See, e.g., G.A. Res. 71/199, The Right to Privacy in the Digital Age (Dec. 19, 2016).
- 121Ashley Deeks, An International Legal Framework for Surveillance, 55 Va. J. Int’l L. 291, 311 (2015).
- 122Bignami, supra note 119, at 4.
- 123Hum. Rts. Comm., General Comment no. 31, Nature of the General Legal Obligation on State Parties to the Covenant, ¶ 10, U.N. Doc. CCPR/C/21/Rev.1/Add.13 (May 26, 2004).
- 124Kristian P. Humble, International Law, Surveillance and the Protection of Privacy, Int’l J. Hum. Rts. (2020) 1, 5.
- 125Bignami, supra note 119, at 5.
- 126Humble, supra note 124, at 13.
- 127Stephen J. Schulhofer, An International Right to Privacy? Be Careful What You Wish for, 14 Int’l J. Const. L. 238 (2016).
- 128Asaf Lubin, We Only Spy on Foreigners: The Myth of a Universal Right to Privacy and the Practice of Foreign Mass Surveillance, 18 Chi. J. Int’l L. 502 (2018).
- 129Ronald J. Krotoszynski, Autonomy, Community, and Traditions of Liberty: The Contrast of British and American Privacy Law, 39 Duke L.J. 1398, 1401–02 (1990) (where privacy is defined as “a realm of individual autonomy in recognized and accepted social contexts” that is “defined in relation to a particular society at a particular point in time”).
- 130Beth Van Schaack, The United States’ Position on the Extraterritorial Application of Human Rights Obligations: Now Is the Time for Change, 90 Int’l L. Stud. Ser. US Naval War Col. 20, 32 (2014).
- 131Id. at 31–52.
- 13210 Human Rights Organisations v. United Kingdom¸ Privacy International (July 10, 2019), https://perma.cc/L3YH-VDZX.
- 133Cynthia O’Donoghue & Nona Keyhani, ECtHR Rules on UK Mass Surveillance Under RIPA¸ Reed Smith Technology Law Dispatch (Oct. 25, 2018), https://perma.cc/7EXY-UCLJ.
- 13410 Human Rights Organisations v. United Kingdom, supra note 132.
- 135PI’s Statement on the ECtHR Decision in Privacy International v. UK, Privacy International (Sept. 3, 2020), https://perma.cc/PPD9-NZ2D.
- 136Natasha Lomas, Europe’s Top Court Confirms no Mass Surveillance Without Limits, TechCrunch (Oct. 6, 2020), https://perma.cc/4L9U-U4Y6.
- 137Id.
- 138Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in Cyberspace, 52 Stanford L. Rev. 1315 (2000).
- 139Davenport, supra note 29, at 106.
- 140Tallinn Manual, supra note 99, at 257.
- 141Davenport, supra note 29, at 106 (“Within the EEZ, the discussion above on the controversy surrounding the legality of intelligence gathering activities would also apply—the bottom line is that there is no clear prohibition against the physical tapping of fiber optic cables in the EEZ to be found in UNCLOS.”); Tallinn Manual, supra note 99, at 257 (minding “prejudice to the application of other international legal norms,” cable tapping is not per se illegal on the high seas).
- 142Tallinn Manual, supra note 99, at 257.
- 143Scott Coffen-Smout & Glen J. Herbert, Submarine Cables: A Challenge for Ocean Management¸ 24 Marine Pol’y 441, 444 (2000).
- 144See G.A. Res. 66/231, ⁋ 12 (Apr. 5, 2012); G.A. Res. 67/78, ⁋ 131 (Dec. 11, 2012).
- 145Coffe-Smout & Herbert, supra note 143, at 444.
- 146Tara Davenport, Submarine Communications Cables and Law of the Sea: Problems in Law and Practice, 43 Ocean Dev. & Int’l L. 201 (2012).
- 147Robert Wargo & Tara Davenport, Protecting Submarine Cables from Competing Uses, in Submarine Cables: The Handbook of Law and Policy 255, 263 (eds. Douglas R. Burnett, Robert C. Beckman & Tara M. Davenport) (2014).
- 148Davenport, supra note 29, at 84, 106.
- 149Zoe Scanlon, Addressing the Pitfalls of Exclusive Flag State Jurisdiction: Improving the Legal Regime for the Protection of Submarine Cables, 48 J. Mar. L. & Com. 295, 299 (2017).
- 150Davenport, supra note 29, at 84, 106; see also Nadia Schadlow & Brayden Helwig, Protecting Undersea Cables Must be Made a National Security Priority, Def. News (July 1, 2020), https://perma.cc/BP65-LGX4.
- 151Wargo & Davenport, supra note 147, at 256.
- 152Griffiths, supra note 16.
- 153Tallinn Manual, supra note 99, at 257; see also, Davenport, supra note 29.
- 154UNCLOS, supra note 65, Annex VI, art. XXI. See generally Treves, supra note 90.
- 155UNCLOS, supra note 65, art. CXIII. While fiber optic cables are not strictly telephonic, they are generally presumed to fall under Article 113.
- 156For discussion of the general jurisdictional requirements of ITLOS, see generally Treves, supra note 90.
- 157UNCLOS, supra note 65, art. CXII.
- 158Id. art. CCLXXXVIII.
- 159John E. Noyes, The International Tribunal for the Law of the Sea, 32 Cornell Int’l L. J. 109, 133 (1999).
- 160Anna Petrig & Marta Bo, The Internatjonal Tribunal for the Law of the Sea and Human Rights, in Human Rights Norms in ‘Other’ International Courts 353, 386 (Martin Scheinin ed., 2019).
- 161Id. at 386–91.
- 162UNCLOS, supra note 65, art. CCLXXXXV.
- 163Coffen-Smout & Herbert, supra note 143, at 444.
- 164Id.; Davenport, supra note 29, at 84.
- 165There is some question as to whether weak enforcement regimes, as in Australia or the United States, would be sufficient to evade ITLOS jurisdiction. States, however, can likely still obtain jurisdiction over this question.
- 166Davenport, supra note 29, at 106.
- 167Id. at 84, 106.
- 168Matis, supra note 113.
- 169The Economic Impact of Submarine Cable Outages Can Still Be Enormous, supra note 114.
- 170UNCLOS, supra note 65, art. CXIII.
- 171M/V Saiga (No. 2) (St. Vincent v. Guinea), Case No. 2, Memorial of St. Vincent of June 19, 1998, 2 ITLOS Rep. 13, ¶ 95.
- 172Guyana v. Suriname, 47 I.L.M. 166, ¶ 405 (Perm. Ct. Arb. 2007).
- 173UNCLOS, supra note 65, art. CCLXXXXIII.
- 174Suriname, 47 I.L.M. 166.
- 175Chao Zhang, Russian Absence at the Arctic Sunrise Case: A Comparison with the Chinese Position in the South China Sea Arbitration, 8 J. E. Asia & Int’l L. 413, 414 (2015).
- 176UNCLOS, supra note 65, art. CCLXXXXIII; Noyes, supra note 159, at 124.
- 177Mark Harris, How US National Security Agencies Hold the Internet Hostage, TechCrunch (July 18, 2019), https://perma.cc/J4UV-HNNM.
- 17810 Human Rights Organisations v. United Kingdom, supra note 132.
- 179Lomas, supra note 136.
- 180Melissa Eddy, Right to Privacy Extends to Foreign Internet Users, German Court Rules, N.Y. Times (May 19, 2020), https://perma.cc/GVU4-X7L5.
- 181Frederic Gilles Sourgens, The Privacy Principle, 42 Yale J. Int’l L. 345, 354 (2017); see also Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, 2004 I.C.J. 136 (July 9).
- 182United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J. 3, 35 (May 24) (finding expulsion of the spying diplomat was the proper remedy); Libananco Holdings Co. Limited v. Republic of Turkey, ICSID Case No. ARB/06/8, Decision on Preliminary Issues, 1 43 (June 23, 2008) (finding states can intercept communications as part of lawful criminal investigations).
- 183Van Schaack, supra note 130, at 32.
- 184See generally Petrig & Bo, supra note 160.
- 185M/V Saiga (No.2) (St. Vincent v. Guinea), Judgment of July 1, 1999, ITLOS Rep., 10.
- 186Id. ⁋ 15; see also Treves, supra note 90, at 5.
- 187Petrig & Bo, supra note 160, at 382–85, 386–91.
- 188Id. at 391.
- 189See generally Francesca Delfino, ‘Considerations of Humanity’ in the Jurisprudence of ITLOS and UNCLOS Arbitral Tribunals, in Interpretations of the United Nations Convention on the Law of the Sea by International Courts and Tribunals 421 (Angela Del Vecchio & Roberto Virzo eds., 2019).
- 190Petrig & Bo, supra note 160, at 380.
- 191See Davenport, supra note 29, at 84; Scanlon, supra note 149, at 299–301.
- 192Tallinn Manual, supra note 99, at 170.
- 193Will Schrepferman, Hypocri-Sea: The United States’ Failure to Join the UN Convention on the Law of the Sea, Harv Int’l R. (Oct. 31, 2019), https://perma.cc/DG73-SR5A.
- 194Id.
- 195Noyes, supra note 159, at 154.
- 196Craig H. Allen, ITLOS Orders Russia to Release ARCTIC SUNRISE and Its Greenpeace Protestors, OpinioJuris (Nov. 25, 2013), https://perma.cc/RZ7S-SQPT.
- 197Bignami, supra note 119, at 5.
- 198Winston Qiu, Complete List of Google’s Subsea Cable Investments, Submarine Cable Networks (July 9, 2019), https://perma.cc/3KL8-T4PK.
- 199Many corporations form cable cooperatives to share repair and installation costs. See, for example, the Atlantic Cable Maintenance & Repair Agreement. About, ACMA, https://perma.cc/DXF6-NPFM.
- 200Noyes, supra note 159, at 132.
- 201See, generally Rebecca Crootof, International Cybertorts: Expanding State Accountability in Cyberspace, 103 Cornell L. Rev. 565 (2018).
- 202See generally Samantha N. Sergent, Extinguishing the Firewall: Addressing the Jurisdictional Challenges to Bringing the Cyber Tort Suits Against Foreign Sovereigns, 72 Vand. L. Rev. 391 (2019).